The Dark Side of Tech: How CIOs Tackle Security Breaches

The proliferation of technology on school campuses to ease the flow and dissemination of information is a cause for celebration among students, teachers and administrators.

But that celebration carries a dark side: the potential for fraud and abuse of wireless systems, the introduction of viruses, attacks by hackers and cheating by students. The job of CIO or IT director of a school or school system provides plenty of excitement—and much cause for trepidation.

Tech & Learning asked four technology directors about five security challenges that keep them up at night. Here's what they had to say:

Dwayne Alton, director of IT
School District of Lee County, Fort Myers, Fla.
107 schools (including charter schools), 80,000 students
Alton has spent seven years as director, moving up from positions as systems analyst and technology support manager.

  1. Proliferation of portable devices: Smartphones and cellular air cards allow users to bypass filtering software while accessing the network. "It's not a breach, but it is bypassing our acceptable use policy," Alton says. "We're looking at different methods to keep unapproved devices off the network."
  2. Malware: Working with Cisco Systems Inc. through CDW-G, the district gives vendors, consultants, media and others access to the public wireless network, which is heavily filtered and kept separate from the internal network.
  3. Wireless security: Again working with Cisco, the district has installed an intrusion detection system, which alerts IT staff when someone creates their own access point. The location of the point can be triangulated and jammed if necessary. "The first people we caught bringing in their own access point were state auditors," Alton says.
  4. Disaster recovery: This is a huge issue for systems in hurricane-prone South Florida. The system has used tape backup and a secure facility, but it's looking to real-time replication to a third-party site. The challenge is to find encryption software to make sure that data being transferred remain safe.
  5. Internal defenses: The biggest threat to security comes from employees, and Alton is looking at ways to limit internal staff's access so they can't use inside knowledge to compromise the system after leaving the district's employ. This hasn't happened yet, and Alton hopes that it never does.

Lenny Schad, CIO
Katy Independent School District, Katy, Texas
52 schools, 56,000 students
Schad has been with the Katy district since 2002 after a career in the oil and gas industry. The fast-growth district adds 3,000 students a year, opening four schools this fall.

  1. Password security: The district has taken several steps to increase accountability, control and system administration of passwords. Procedures include prompting employees to change passwords every 60-90 days, quick removal of user IDs from former employees, lockdown of login attempts after three failures, cleanup of access for employees who switch jobs and individual tracking of system administrators (i.e., not using master administrative passwords).
  2. External storage devices: The district has partnered with other ISDs in the Houston area, working with such vendors as Trend Micro Inc., CDW-G and Cisco Systems Inc. on a comprehensive software solution to alert support staff immediately when unauthorized devices are connected to the network. The solution also should immediately scan the device and shut the port down should malicious software be detected.
  3. Desktop/laptop security: Tech staffers are developing sticky notes with a cute saying to put on machines where the user is logged in but not at his desk to increase awareness about logging off.
  4. Remote access: The district has implemented a solution from Citrix Systems Inc. for remote access to monitor and track usage. "We feel we have a good handle on this," Schad says. "We allow a small group of tech people access to our (virtual private network)."
  5. Use policy: To set clear guidelines concerning hacking and appropriate-use issues, Schad is the executive sponsor of a cyber security task force, composed of 10 ambassadors, to examine policies and raise awareness about the issue.

Slade James, IT director
Coronado Unified School District, Coronado, Calif.
Four schools on six campuses, 5,000 students
James has been with the district for four years and in the IT field for 13. In his former job, he was under a U.S. Navy contract to hack into its systems to unearth security flaws.

  1. Content filtering: The district uses iPrism from St. Bernard Software, which has been in place since James started. "We're still looking for better service," James says. "We think we can find something better, but cost remains an issue."
  2. Viruses: "I implemented NOD32 antivirus software from ESET in the first year I was here," James says. "They've exceeded expectations for service and support. I think it helps that they're a local company."
  3. Spam: Issues surrounding spam cost James's predecessor his job, so a tough solution was required. The district uses antispam software from Sophos Inc., which he says is largely effective. A rash of spam gets through every once in a while, but James says that the complaints about spam have stopped.
  4. Wireless access: Two campuses have both wired and wireless access, but James didn't anticipate faculty, students and administrators getting on to the system with personal laptops and smartphones. He's looking at a Microsoft ISA Server with Remote Authentication Dial-In User Service that combines a firewall, content filter, cache filter and wireless authentication through a user name and password.
  5. Unauthorized applications: The district is using Windows Active Directory to prevent the unauthorized use of software applications such as the Firefox web browser, which can be loaded from a thumb drive and circumvent the district's filtering technology. "It's a little annoying, to be honest," James says of the continued infiltrations. "We've got a good handle on it, though."

Scott Gutowski, CIO/director of IT
Lyford Cay International School, Nassau, The Bahamas
One school, nursery through 12, 320 students from 35 countries
Gutowski's decade-long career in IT has included working on the Hopi Indian Reservation in northeast Arizona before arriving in The Bahamas nearly three years ago.

  1. Outgoing traffic: Students and staff have their own accounts, and traffic is routed through a proxy server, then through SonicWALL Inc.'s content filter. Gutowski picked SonicWALL because of its widespread use in the government and education sectors.
  2. Filtering for appropriate content: Lyford Cay also uses SonicWALL to update content filters twice a month, checking for inappropriate language, nudity and other triggers. "I find it stays up to date on the most current Web site out there," Gutowski says. "That's tough to do if you're using point filtering."
  3. Monitoring/blocking outside activity: Entry points to the system are password protected, and passwords are changed frequently.
  4. Machine accountability: The school uses the PowerSchool student information system, a Web-based program for student records, report card information and other data so that information is not placed on a desktop or laptop that could be hacked into or stolen.
  5. Information protection outside the school facility: The school has a 1-to-1 laptop program, and the school is configuring those computers to go through the school's proxy services wherever they are used. "We had an incident this summer, where a parent found questionable material on a student's machine while it was home," Gutowski says. "Parental user inexperience is becoming the unspoken responsibility of the school."